Splunk Dev

REST query for saved searches only returns owner="nobody" results

the4tress
Engager

I am trying to build an application that leverages our Splunk Enterprise
setup using Python. I want to get a list of all saved searches (reports),
then get a list of the results of those searches. When I connect to Splunk
via the API and query for saved searches it only returns searches owned by
"nobody", but when I view the searches in the Web UI I see all the searches
saved by everybody.

How can I view the searches saved by everybody, or even a specific user?

Here is a very basic version of what I'm trying to do:

import splunklib.client as client
import splunklib.results as results

CONNECT_DICT = {
    'username': removed,
    'password': removed,
    'host': removed,
    'port': removed
}

service = client.connect(**CONNECT_DICT)

saved_searches = service.saved_searches

for saved_search in saved_searches:
    print "%s: %s" % (saved_search.name, saved_search['search'])

Thanks for any info.

Tags (2)
0 Karma
1 Solution

strive
Influencer

By default the API returns the saved searches present in current namespace. See this link http://dev.splunk.com/view/python-sdk/SP-CAAAEK2#listsaved the section "To list saved searches" will help you to retrieve what you need. You should create a separate service class.

for overview on namespaces read this. http://dev.splunk.com/view/python-sdk/SP-CAAAEBB#namespaces

View solution in original post

strive
Influencer

By default the API returns the saved searches present in current namespace. See this link http://dev.splunk.com/view/python-sdk/SP-CAAAEK2#listsaved the section "To list saved searches" will help you to retrieve what you need. You should create a separate service class.

for overview on namespaces read this. http://dev.splunk.com/view/python-sdk/SP-CAAAEBB#namespaces

the4tress
Engager

Thanks @strive. That got me one step closer. I'm having permissions issues on my service account now. It doesn't have permission to access other user's saved searches.

I posted the question here: http://answers.splunk.com/answers/149067/permissions-issue-access-saved-searches

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...